Transport Layer Security (TLS) is used to secure Diameter connections between realms. TLS encrypts the data exchanged between two applications; the protection is applied per transport connection (port to port) and covers only the traffic between those two endpoints, not anything beyond them.

Note

When using TLS over SCTP (specified in RFC 3436 and recommended by RFC 3588), the DSC limits the association to a single SCTP stream, so only one TLS authentication (one TLS context) is required per association.

The Ribbon DSC supports the TLS configuration mechanisms recommended by both RFC 3588 and RFC 6733.

The two standards differ as follows:

  • RFC 6733 prefers to complete the TLS handshake before exchanging CER/CEA messages, rather than exchanging CER/CEA first and negotiating security through the Inband-Security-Id AVP, as RFC 3588 does

  • RFC 6733 prefers Datagram Transport Layer Security (DTLS) for SCTP over maintaining one TLS context per SCTP stream

TLS Provisioning Process Based on RFC3588

Under RFC 3588, an ADN identifies itself as TLS-secured (or not) during the Capabilities-Exchange (CER/CEA) parameter exchange, through the Inband-Security-Id AVP. The value advertised by the ADN is compared against the local TLS setting configured for that ADN.

The four possible combinations are:

  • ADN advertises NO_INBAND_SECURITY and the local TLS setting is OFF - allow insecure connection

  • ADN advertises TLS_INBAND_SECURITY and the local TLS setting is OFF - close connection

  • ADN advertises NO_INBAND_SECURITY and the local TLS setting is ON - close connection

  • ADN advertises TLS_INBAND_SECURITY and the local TLS setting is ON - allow secured connection

With TLS enabled, the message flow through the DSC Platform is as follows:

  1. An outgoing connection is initiated or an incoming connection is accepted.

  2. The transport layer is validated.

  3. After connecting, the Capabilities-Exchange-Request (CER) message is sent or received.

  4. The CER/CEA exchange must complete before the TLS handshake (this is the RFC 3588 ordering).

  5. The Adjacent Diameter Node (ADN) is matched to the CER, the TLS flag of that ADN is checked, and the corresponding set of authentication data (certificates and keys) is loaded.

  6. The TLS handshake takes place and includes:

    1. the two sides exchange their supported protocol lists and select the highest common protocol version

    2. the server sends its certificate (server authentication)

    3. the client sends its certificate (client authentication)

    4. on successful completion both endpoints hold the same session keys, unique to this connection

  7. The connection is ready for traffic; Device-Watchdog (DWR/DWA) messages are now exchanged.

The exact messages exchanged depend on the configuration options. Two things are critical for authentication: the certificates and keys loaded for the ADN must be valid (correct chain, not expired), and the certificate presented by the peer must contain the matching Diameter Identity, that is, the Origin-Host the peer sent in its CER.

The DSC Platforms support certificate-based TLS only.
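The combination table and the certificate identity requirement above, worked through as an added example in Python (standard library only). This is illustrative code, not Ribbon DSC code: it encodes and decodes a minimal CER carrying the Inband-Security-Id AVP (AVP code 299; value 0 is NO_INBAND_SECURITY, 1 is TLS), applies the four-way policy against the ADN's local TLS setting, and then checks that the identities taken from the peer certificate contain the peer's Origin-Host. The sample message, the ADN TLS flag and the certificate name list are constructed; treating an absent Inband-Security-Id as NO_INBAND_SECURITY, and exact case-insensitive identity matching, are assumptions of this example rather than documented DSC behaviour.

```python
import struct

# Diameter command and AVP codes used by a Capabilities-Exchange-Request (RFC 3588).
CMD_CER = 257
AVP_ORIGIN_HOST = 264
AVP_VENDOR_ID = 266
AVP_PRODUCT_NAME = 269
AVP_ORIGIN_REALM = 296
AVP_INBAND_SECURITY_ID = 299

# Inband-Security-Id values.
NO_INBAND_SECURITY = 0
TLS_INBAND_SECURITY = 1


def encode_avp(code, data, mandatory=True):
    """AVP: code(4) flags(1) length(3) data, padded to a 4-byte boundary."""
    length = 8 + len(data)                      # length excludes padding
    flags = 0x40 if mandatory else 0x00         # M bit
    header = struct.pack("!I", code) + bytes([flags]) + length.to_bytes(3, "big")
    return header + data + b"\x00" * ((-len(data)) % 4)


def encode_cer(origin_host, origin_realm, inband_security_id, hop=0x1234, end=0x5678):
    """Build a minimal CER (constructed sample message, not a capture)."""
    avps = (encode_avp(AVP_ORIGIN_HOST, origin_host.encode())
            + encode_avp(AVP_ORIGIN_REALM, origin_realm.encode())
            + encode_avp(AVP_VENDOR_ID, struct.pack("!I", 0))
            + encode_avp(AVP_PRODUCT_NAME, b"example-peer", mandatory=False)
            + encode_avp(AVP_INBAND_SECURITY_ID, struct.pack("!I", inband_security_id)))
    length = 20 + len(avps)
    header = (bytes([1]) + length.to_bytes(3, "big")          # version, message length
              + bytes([0x80]) + CMD_CER.to_bytes(3, "big")    # R flag, command code
              + struct.pack("!III", 0, hop, end))             # app id, hop-by-hop, end-to-end
    return header + avps


def decode_avps(payload):
    """Walk the AVP list; vendor-specific AVPs (V bit) carry a 12-byte header."""
    avps, off = {}, 0
    while off < len(payload):
        code, flags = struct.unpack_from("!IB", payload, off)
        length = int.from_bytes(payload[off + 5:off + 8], "big")
        hdr = 12 if flags & 0x80 else 8
        if length < hdr or off + length > len(payload):
            raise ValueError("malformed AVP length")
        avps[code] = payload[off + hdr:off + length]
        off += length + ((-length) % 4)
    return avps


def parse_cer(msg):
    """Return (origin_host, inband_security_id) from a CER, validating the header."""
    if len(msg) < 20 or msg[0] != 1:
        raise ValueError("not a Diameter v1 message")
    if int.from_bytes(msg[1:4], "big") != len(msg):
        raise ValueError("message length mismatch")
    if int.from_bytes(msg[5:8], "big") != CMD_CER or not msg[4] & 0x80:
        raise ValueError("not a CER")
    avps = decode_avps(msg[20:])
    origin_host = avps[AVP_ORIGIN_HOST].decode()
    raw = avps.get(AVP_INBAND_SECURITY_ID)
    # Assumption of this example: a missing AVP is treated as NO_INBAND_SECURITY.
    inband = struct.unpack("!I", raw)[0] if raw else NO_INBAND_SECURITY
    return origin_host, inband


def tls_policy(advertised, local_tls_on):
    """The four-way decision: advertised Inband-Security-Id vs. the ADN's local TLS flag."""
    if advertised == TLS_INBAND_SECURITY and local_tls_on:
        return "allow secured"
    if advertised == NO_INBAND_SECURITY and not local_tls_on:
        return "allow insecure"
    return "close connection"          # mismatch, or an unknown security id


def cert_matches_diameter_id(origin_host, cert_names):
    """Assumed check: the peer certificate's identities must include its Origin-Host."""
    host = origin_host.lower()
    return any(name.lower() == host for name in cert_names)


def evaluate_peer(cer_bytes, adn_tls_on, peer_cert_names=()):
    """Steps 3-6 of the flow: parse CER, apply policy, then verify certificate identity."""
    origin_host, inband = parse_cer(cer_bytes)
    decision = tls_policy(inband, adn_tls_on)
    if decision == "allow secured" and not cert_matches_diameter_id(origin_host, peer_cert_names):
        return origin_host, "close connection (certificate identity mismatch)"
    return origin_host, decision


if __name__ == "__main__":
    cer = encode_cer("dra1.example.net", "example.net", TLS_INBAND_SECURITY)
    print(evaluate_peer(cer, True, ["dra1.example.net"]))
    print(evaluate_peer(cer, False))
```

The identity check runs only on the "allow secured" path, because that is the only case in which a certificate is ever presented; in a real implementation the name list would be read from the peer certificate's Subject Alternative Name (or Common Name) after the handshake in step 6.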

TLS Provisioning Process Based on RFC6733

  1. Create and configure a Security Parameter Set (for example, X) with its Security Type attribute set to FULL_TLS_DTLS (see To create a Security Parameter Set and To configure a Security Parameter Set).

  2. Configure IP Security (see To configure IP Security).

  3. Create and configure an ADN Connection and set its Security Parameter Set to X (see To create an ADN Connection and To configure an ADN Connection in Configuring ADN Connections).

  4. Create a Transport Server and set its Security Parameter Set to X (see To create a Transport Server in Configuring Transport Servers).

Tip

Step 4 is only required if the remote end can initiate the transport connection towards the DSC. If the DSC always initiates the connection (client-only operation), no Transport Server is needed.
